On Tue, 28 Jul 1998, Stephen Briggs wrote:
> The write-up is great. I'll get into it now. Thank you for all of your
> assistance.
Happy to help.
> I have one more question for clarification, though.
>
> With the setup now, I must do masquerading. If I were to use the machines on
> the network with the IP addresses they have now (the xxx.xxx.xxx.10-127), and
> reassign eth1 to xxx.xxx.xxx.04, could I just use the filtering at that point?
Yes, but keep reading.
> I actually abandoned this method of attack, because I could not get both eth0
> configured at xxx.xxx.xxx.3 and eth1 as xxx.xxx.xxx.4 and have both working
Standard IP networking frowns on this, but again, keep reading.
> properly (possibly due to the sharing of the interrupt? The machine is PCI, and
> I noticed the interrupt sharing earlier, but it seemed to work, so I dismissed
> it).
(Interrupt sharing on PCI cards is probably fine, especially since
they're identical cards, so they use the same driver).
The problem here is one of subnets. In your original design, eth0
(the real IP address that talks to the outgoing router) is part of a
"half-class-C" (255.255.255.128) network. The router at the other end of
that connection knows this fact. Whenever it wants to talk to
xxx.xxx.xxx.10, it assumes that .10 is directly connected to the cable
running from your firewall to itself, rather than being on the remote
ethernet cable only reachable by going through your firewall.
To accomplish what you describe, one of two things has to happen.
1) Get your provider to assign you an additional block of
addresses (4 addresses; 255.255.255.252 will do if there are no other
machines outside the firewall) for the network between the firewall and
that next hop router. The two IP addresses in the middle of this block
will be assigned to your firewall and the router. The .128 block you
already have can be used for your private machines.
Could this outside block be reserved addresses, further saving
limited real addresses? The short answer is no, because the firewall
needs its own real address on the outside to be able to talk to the real
world. It is possible to convince a Linux box to use its inside (real)
address when it's talking to the real world, but it involves playing games
with the network addressing and routing. Avoid this if you can. I have
more details if this really appeals to you.
2) Continue to use your existing address block on the outside of
the firewall. Have any mix of xxx.xxx.xxx.10-27 addresses and 192.168.2.y
addresses on the inside. To do this, you'll need to have your firewall
perform proxy-ARP for the real IPs inside (note that the "proxy" in proxy
ARP has nothing to do with firewalling).
In effect, when the outbound router sends out an Ethernet
broadcast saying "I need to talk to xxx.xxx.xxx.10; who has that MAC
address?", your firewall will lie and tell the outbound router that it
(the firewall) is xxx.xxx.xxx.10. The router will simply hand off those
packets to the firewall, which then sends them on to the _real_
xxx.xxx.xxx.10. Likewise for .11, .12, etc. The outbound router can
continue to believe that all of the real addresses are on the outside
cable, when in fact some are on the inside cable.
I think there's a proxy-arp howto on Sunsite; check back with me
if there isn't or you'd like additional help on setting this up.
(http://sunsite.unc.edu/linux/HOWTO)
_However_, the fact that it can be done doesn't make it a good
idea :-(. Here's why I think so; you'll have to decide if these reasons
apply to this particular situation:
1) The fact that you're using reserved addresses for your client
machines is, all by itself, a firewall technique that makes it harder to
contact those machines.
2) Using reserved addresses for machines that do not act as
publicly visible servers is considered responsible use of a limited
resource (the IPv4 address space).
3) The firewall rule set for the proxy-arp approach could be a
living nightmare of packet rules, at least in the case where there are
mixed real and reserved IPs on the same network cable. (Granted, Mason
would help, but it would still be tough).
4) Having a mix of real and private IPs would make it
just a little easier for someone to come in from the outside world and
jump from a real IP'd machine to a reserved IP machine (leapfrogging
attack). This is even more likely if you run publicly visible servers on
your inside cable.
For this reason, I'd encourage the use of the following:
                           Web      Mail
W1   W2   W3              Server   Server
|    |    |     Masq        |        |
+----+----+----Firewall-----+--------+---------------Router
.12  .34  .35  .1     .3   .10      .16                 .1
----192.168.2.x---   -------------xxx.xxx.xxx.yyy---------
Your inside machines get better protection than they'd get with
real addresses, you still get to public servers, you have some control
over what goes out, etc. On the other hand, I understand that this model
doesn't serve every situation.
> Thank you once again!
No problem. Keep me posted.
Cheers,
- Bill
---------------------------------------------------------------------------
Unix _is_ user friendly. It's just very selective about who its friends
are. And sometimes even best friends have fights.
William Stearns ([EMAIL PROTECTED])
Mason, buildkernel, and named2hosts are at: http://www.pobox.com/~wstearns
---------------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]